From cb01159b9ac07224fffc5b70b256f75256ff8dc3 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 26 Sep 2024 20:23:20 -0300 Subject: [PATCH] doc: add meeting note 2024-09-26 (#1386) --- meetings/2024-09-26.md | 59 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 meetings/2024-09-26.md diff --git a/meetings/2024-09-26.md b/meetings/2024-09-26.md new file mode 100644 index 00000000..e81622b8 --- /dev/null +++ b/meetings/2024-09-26.md @@ -0,0 +1,59 @@ +# Node.js Security team Meeting 2024-09-26 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=kjb_bOObDk0 +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1382 +* **Minutes Google Doc**: https://docs.google.com/document/d/1rHzDiqZ1XXBChji2R97X1tJUHptMwXSmUgHnR-m_Q3U/edit + +## Present + +* Security wg team: @nodejs/security-wg + +* Rafael Gonzaga: @RafaelGSS +* Ulises Gascón: @UlisesGascon +* Michael Dawson: @mhdawson +* Robert Waite +* Mickaël Salaün + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - The only new issue is question asking about openssl update +- [X] OpenSSF Scorecard Monitor Review + - Last report: https://github.com/nodejs/security-wg/pull/1385 + - No action is needed from the team + +### nodejs/node + +* src: add WDAC integration (Windows) #54364 + * Robert: Most of the suggestions from the last meeting were applied but not pushed due to some inconsistencies with Microsoft docs. I was working with Microsoft folks to have it solved. + * Robert invited Mickaël Salaün to the meeting + * Mickaël Salaün is working on restricting script execution on Linux side (https://lwn.net/Articles/982085/). + * Mickaël Salaün gave a talk about script execution control on Linux last week at the Linux Plumbers Conference: https://lpc.events/event/18/contributions/1692/ (https://www.youtube.com/live/OWURlNpBk5s?t=3420s +) + * We have discussed how it’s being implemented and how we could use it from a Node.js perspective. + +### nodejs/security-wg + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Michael - spent some more time looking at the common container for building WASM - https://github.com/nodejs/security-wg/issues/1236#issuecomment-2375338141 + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * https://github.com/nodejs/node-core-utils/pull/858 + +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) + * no time to discuss it + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +